Changes between Version 16 and Version 17 of TIEDABACDemo


Timestamp:
07/10/09 20:14:27 (15 years ago)
Author:
faber@isi.edu
Comment:

--

  • TIEDABACDemo

    v16 v17  
    5757Once the edge is present, again, showing that Ted has the GPO.demo attribute is a matter of showing the path.
    5858
    59 == Distributed Authorization ==
     59=== Distributed Authorization ===
    6060
    6161In the examples above, creating the paths from principal to attribute that constitute a proof are all done assuming total information in the hands of the prover.  ABAC does not require a prover to hold all such information initally and provides a negotiation protocol to gather it.  We sketch that protocol here.
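Review bot: Unchanged context line 61 still reads "initally" (should be "initially") and could be corrected while this paragraph is already in the diff; the demotion of the heading on line 59 from `==` to `===` is fine, since it puts "Distributed Authorization" at the same level as the `=== Conclusions ===` heading added in this same revision.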
     
    9494 * A principal must be able to sign assertions
    9595
    96 Any authentication system that establishes a public key meets these requirements, modulo a system to map various key types into a single identifier, e.g. hashing the bits of the keys in a common format.  PGP keys and X.509 certificates directly meet those requirements (even self-signed X.509 certificates will do).  Systems that attest user attributes, like [ http://shibboleth.internet2.edu/ Shibboleth ] can attest a public key/principal as an attribute.  Such systems have the added utility that they can act as external credential stores as well.
     96Any authentication system that establishes a public key meets these requirements, modulo a system to map various key types into a single identifier, e.g. hashing the bits of the keys in a common format.  PGP keys and X.509 certificates directly meet those requirements (even self-signed X.509 certificates will do).  Systems that attest user attributes, like [http://shibboleth.internet2.edu/ Shibboleth ] can attest a public key/principal as an attribute.  Such systems have the added utility that they can act as external credential stores as well.
    9797
    98 Some principals never attest attributes, e.g., end users.  Such users that are only identifiable by something like an InCommon [http://www.incommonfederation.org/attributesummary.html#eduPersonPrincipalName eduPersonPrincipalName] or kerberos name can be converted to the same principal identifier space by hashing the name along with the namespace (Kerberos,InCommon, etc.) into the same hash space as the public-key based systems.  Some care must be taken with functions and hashspace sizes, but collisions can be made arbitrarily unlikely.
     98Some principals never attest attributes, e.g., end users.  Such users that are only identifiable by something like an !InCommon [http://www.incommonfederation.org/attributesummary.html#eduPersonPrincipalName eduPersonPrincipalName] or kerberos name can be converted to the same principal identifier space by hashing the name along with the namespace (Kerberos, !InCommon, etc.) into the same hash space as the public-key based systems.  Some care must be taken with functions and hashspace sizes, but collisions can be made arbitrarily unlikely.
    9999
    100100When possible binding to a public-key-based identifier is infinitely preferred.
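Review bot: The Shibboleth link on line 96 removes the stray space after `[` but keeps the one before `]`, so the label still ends in whitespace; for consistency with the eduPersonPrincipalName link on line 98 it should read `[http://shibboleth.internet2.edu/ Shibboleth]`. On line 98, "kerberos name" is lowercase while the parenthetical a few words later uses "Kerberos"; the new `!InCommon` escapes are the right fix for keeping that CamelCase word from rendering as a wiki link.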
     
    175175
    176176If the environment is open, the GENI principal can simply publish the relevant credential for CTF slice admin (and general) access.  Because each requester now knows the beginning of the graph, they are likely to be able to include the whole proof in their first request, removing a round trip time.
     177
     178In addition, the completed graph completely reflects the decisions made to grant or deny access.  These can be logged as expressive audit trials covering both the decisions and the reasons for those decisions.
     179
     180=== Conclusions ===
     181
     182This example has illustrated some of the key features of ABAC that make it scalable to operate and decentralized to administer while being practical to negotiate access.
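Review bot: "audit trials" on line 178 should be "audit trails". The sentence claiming the completed graph "completely reflects the decisions made to grant or deny access" would be stronger with one clause on the deny case: the earlier text (lines 57 and 61) describes a proof as a path from principal to attribute, so it is not obvious what graph gets logged when no such path exists; saying whether the partial graph assembled at the point of failure is recorded would close that gap.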